Cybersecurity: Five hot topics to be discussed at Black Hat and Defcon

Published 28 July 2010

Among the many topics to be discussed at Black Hat, which opens today, and DefCon, which opens Friday, are the vulnerabilities of SCADA networks; many of these networks have developed a no man’s land between IT and industrial control systems, and their computers are often at risk because nobody seems to take complete ownership of them; there will be a talk about where bugs show up in the infrastructure; the speaker is Jonathan Pollet, whose company, Red Tiger Security, has collected data on 38,000 vulnerabilities and on the types of exploits that have been written for them

The Black Hat and Defcon conferences, the first opening today and the second on Friday, both in Las Vegas, have a schedule, but the more interesting things at both tend to be unpredictable. IDG’s Robert McMillan writes in PCWorld that the reason these more interesting stories pop up at the last minute is that hackers tend to hold off on disclosing the really big talks because they do not want jittery lawyers to shut them down.

Still, McMillan says we should look out for some interesting security stories on these topics:


1. Hitting the ATM Jackpot. This year’s most-anticipated talk comes from Barnaby Jack, formerly of Juniper Networks. Jack has been toying around with ATMs (automated teller machines) for the past few years and is ready to talk about some of the bugs he has found in these products. McMillan notes that ATMs are a green field for vulnerability researchers, and quotes Black Hat conference director Jeff Moss as saying that the work on ATM bugs is reminiscent of the voting machine research that came out a few years ago, which showed serious security vulnerabilities in the systems and caused many government agencies to rethink the way they were rolling out e-voting.

Jack’s talk is controversial. Juniper pulled it at the last minute ahead of last year’s Black Hat conference, at the request of ATM makers. Now working for a new company, IOActive, Jack plans to show several new ways of attacking ATMs, including remote attacks. He will also reveal what he calls a “multi-platform ATM rootkit,” according to a description of his talk.

“I’ve always liked the scene in ‘Terminator 2’ where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I’ve got that kid beat,” Jack writes in his abstract.

2. DNS. Two years ago Dan Kaminsky made headlines by uncovering a flaw in the DNS (Domain Name System), which is used to look up the addresses of computers on the Internet (“Kaminsky offers details of DNS flaw,” 7 August 2008 HSNW). This year, Kaminsky is speaking again at Black Hat, this time on Web security tools. He has also been tapped to participate in a press conference where he and representatives from ICANN (Internet Corporation for Assigned Names and Numbers) and VeriSign will discuss Domain Name System Security Extensions (DNSSEC) — a new